The Threat of Covert Channels in Network Time Synchronisation Protocols

Authors

DOI:

https://doi.org/10.13052/jcsm2245-1439.1123

Keywords:

Network Covert Channels, Covert Channels, Time Synchronization, Network Time Protocol, Precision Time Protocol, Information Hiding, Steganography

Abstract

Synchronized clocks are vital for most communication scenarios in networks of Information Technology (IT) and Operational Technology (OT). The process of time synchronisation requires transmission of high-precision timestamps often originating from external sources. In this paper, we analyze how time synchronization protocols impose a threat by being leveraged as carrier for network covert channels.

This paper is an extended version version of our open-access paper [15] in which we performed an in-depth analysis of the Network Time Protocol (NTP) in regards to covert channels. In this extended version, we broaden the view and take a look and time synchronisation in a more general way as we provide two comprehensive threat scenarios regarding covert channels and discuss the applicability of such covert channels to another time synchronisation protocol, namely the Precision Time Protocol, PTP. While the Network Time Protocol (NTP) is the most prevalent protocol for synchronizing clocks in IT networks, the Precision Time Protocol (PTP) is mostly found in networks of Industrial Control Systems (ICS) due to higher demands regarding accuracy and resolution. To illustrate the threat of covert channels in such protocols we describe two threat scenarios, one for the Network Time Protocol and one for the Precision Time Protocol. For NTP we perform a systematic in-depth analysis of covert channels. Our analysis results in the identification of 49 covert channels, by applying a covert channel pattern-based taxonomy. The summary and comparison based on nine selected key attributes show that NTP proofs itself as a plausible carrier for covert channels. The analysis results are evaluated in regards to common behavior of NTP implementations in six major operating systems. Two channels are selected and implemented to be evaluated in network test-beds. By hiding encrypted high entropy data in a high entropy field of NTP we show in our first assessment that practically undetectable channels can be implemented in NTP, motivating the required further research. In our evaluation, we analyze 40,000 NTP server responses from public NTP server providers and discuss potential countermeasures. Finally, we discuss the relevance, applicability and resulting threat of these findings for the Precision Time Protocol.

Downloads

Download data is not yet available.

Author Biographies

Kevin Lamshöft, Otto-von-Guericke University Magdeburg, Germany

Kevin Lamshöft is a research assistant and PhD student at the Otto-von-Guericke University Magdeburg Germany. His research topics are located in the field of Cyber Security (especially IT/OT Security regarding Cyber Physicals Systems, Industry 4.0 and the Internet of Things) and (Network-) Steganography/Information Hiding/Covert Channels/Side Channels.

Jonas Hielscher, Otto-von-Guericke University Magdeburg, Germany

Jonas Hielscher is a research assistant and PhD student at the Horst Görtz Institute for IT Security in Bochum Germany, where he is part of the interdisciplinary phd program SecHuman. His research area is Human-Centred Security with a special focus on productivity-friendly IT Security solutions for organizations. He received his M.Sc. from Otto-von-Guericke University Magdeburg where he also was a research assistant at the Advanced Multimedia and Security Lab.

Christian Krätzer, Otto-von-Guericke University Magdeburg, Germany

Christian Krätzer studied Computer Science at the Otto-von-Guericke University Magdeburg, Germany and joined the Advanced Multimedia and Security Lab (AMSL) in 2004, where he is still working as a post-doc researcher. He has a PhD in Computer Science and his research focuses on issues of performance and trust in applied pattern recognition and information fusion.

Jana Dittmann, Otto-von-Guericke University Magdeburg, Germany

Jana Dittmann studied Computer Science and Economy at the Technical University in Darmstadt. She has been a Professor in the field of multimedia and security at the University of Otto-von-Guericke University Magdeburg since September 2002. Jana Dittmann is the leader of the Advanced Multimedia and Security Lab (AMSL) at Otto-von-Guericke University Magdeburg (OvGU) specialised in multimedia specific aspects of security from the technical and computer science dimension as well as from the user perception, user interaction and legal dimension. AMSL is partner in national and international research projects and has a wide variety of well recognized publications in the fields.

References

A. Malhotra and S. Goldberg. Message Authentication Code for the Network Time Protocol. Internet Engineering Task Force, June 2019. https://www.rfc-editor.org/rfc/rfc8573.html.

Aidin Ameri and Daryl Johnson. Covert Channel over network time protocol. In Proceedings of the 2017 International Conference on Cryptography, Security and Privacy, ICCSP ’17, page 62–65, New York, NY, USA, 2017. Association for Computing Machinery.

M. Bishop. A security analysis of the NTP protocol version 2. In [1990] Proceedings of the Sixth Annual Computer Security Applications Conference, pages 20–29, 1990.

Christian Cachin. An Information-Theoretic Model for Steganography. Inf. Comput., 192(1):41–56, July 2004.

L. Caviglione, M. Gaggero, J. Lalande, W. Mazurczyk, and M. Urbański. Seeing the unseen: Revealing mobile malware hidden communications via energy consumption and artificial intelligence. IEEE Transactions on Information Forensics and Security, 11(4):799–810, 2016.

Rajarathnam Chandramouli and Nasir Memon. Steganography capacity: A steganalysis perspective. Proc SPIE, pages 173–177, 06 2003.

chrony. Comparison of NTP implementation. August 2018. https://chrony.tuxfamily.org/comparison.html.

Takuji Ebinuma. GPS-SDR-SIM, December 2021. https://github.com/osqzss/gps-sdr-sim.

P. Ferrari, P. Bellagente, A. Depari, A. Flammini, M. Pasetti, S. Rinaldi, and E. Sisinni. Evaluation of the impact on industrial applications of ntp used by iot devices. In 2020 IEEE International Workshop on Metrology for Industry 4.0 IoT, pages 223–228, 2020.

D. Franke and A. Malhotra. NTP Client Data Minimization. Internet Engineering Task Force, 2019. https://tools.ietf.org/id/draft-ietf-ntp-data-minimization-04.html.

D. Franke, D. Sibold, K. Teichel, M. Dansarie, and R. Sunblad. Network Time Security. Internet Engineering Task Force, March 2020. https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-28.

Jessica Fridrich. Steganography in Digital Media: Principles, Algorithms, and Applications. Cambridge University Press, USA, 1st edition, 2009.

B. Haberman, D. Mills, and U. Delaware. Network Time Protocol Version 4: Autokey Specification. Internet Engineering Task Force, June 2010. https://tools.ietf.org/html/rfc5906.

Mark Handley, Vern Paxson, and Christian Kreibich. Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In Proceedings of the 10th Conference on USENIX Security Symposium – Volume 10, SSYM’01, USA, 2001. USENIX Association.

Jonas Hielscher, Kevin Lamshöft, Christian Krätzer, and Jana Dittmann. A systematic analysis of covert channels in the network time protocol. In The 16th International Conference on Availability, Reliability and Security, pages 1–11, 2021.

Mario Hildebrandt, Robert Altschaffel, Kevin Lamshöft, Matthias Lange, Martin Szemkus, Tom Neubert, Claus Vielhauer, Yongjian Ding, and Jana Dittmann. Threat analysis of steganographic and covert communication in nuclear I&C systems. In International Conference on Nuclear Security 2020, Februray 2020.

IEEE. IEEE 1588-2002 – IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. https://standards.ieee.org/standard/1588-2002.html.

IEEE. IEEE 1588-2008 – IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. https://standards.ieee.org/standard/1588-2008.html.

IEEE. IEEE 1588-2019 – IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems. https://standards.ieee.org/standard/1588-2019.html.

Internet Assigned Numbers Authority. NTP Kiss-o’-Death Codes. Network Time Protocol (NTP) Parameters, March 2010. https://www.iana.org/assignments/ntp-parameters/ntp-parameters.xhtml.

P. Jeitner, H. Shulman, and M. Waidner. Pitfalls of Provably Secure Systems in Internet the Case of Chronos-NTP. In 2020 50th Annual IEEE-IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S), pages 49–50, 2020.

P. Jeitner, H. Shulman, and M. Waidner. The Impact of DNS Insecurity on Time. In 2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pages 266–277, 2020.

Kevin Lamshöft and Jana Dittmann. Assessment of hidden channel attacks: Targetting modbus/tcp. IFAC-PapersOnLine, 53(2):11100–11107, 2020. 21th IFAC World Congress.

Kevin Lamshöft, Tom Neubert, Mathias Lange, Robert Altschaffel, Mario Hildebrandt, Yongjian Ding, claus Vielhauer, and Jana Dittmann. Novel challenges for anomaly detection in i&c networks: Strategic preparation for the advent of information hiding based attacks. Atw. Atomwirtschaft, 65:504–508, 10 2020.

Norka B. Lucena, Grzegorz Lewandowski, and Steve J. Chapin. Covert channels in ipv6. In George Danezis and David Martin, editors, Privacy Enhancing Technologies, pages 147–166, Berlin, Heidelberg, 2006. Springer Berlin Heidelberg.

Wojciech Mazurczyk and Luca Caviglione. Information Hiding as a Challenge for Malware Detection. IEEE Security & Privacy, 13(2):89–93, Mar 2015.

Wojciech Mazurczyk, Przemysław Szary, Steffen Wendzel, and Luca Caviglione. Towards Reversible Storage Network Covert Channels. In Towards Reversible Storage Network Covert Channels, 08 2019.

Wojciech Mazurczyk, Steffen Wendzel, and Krzysztof Cabaj. Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach. In Towards Deriving Insights into Data Hiding Methods Using Pattern-based Approach, 08 2018.

Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, and Krzysztof Szczypiorski. Background Concepts, Definitions, and Classification in Information Hiding in Communication Networks: Fundamentals, Mechanisms, Applications, and Countermeasures, chapter 2, pages 39–58. John Wiley & Sons, Ltd, 2016.

Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, and Krzysztof Szczypiorski. Information Hiding in Communication Networks: Fundamentals, Mechanisms, and Applications. Wiley-IEEE Press, 03 2016.

Wojciech Mazurczyk, Steffen Wendzel, Sebastian Zander, Amir Houmansadr, and Krzysztof Szczypiorski. Network Steganography Countermeasures, chapter 8, pages 207–242. John Wiley & Sons, Ltd, 2016.

Aleksandra Mileva and Boris Panajotov. Covert channels in tcp/ip protocol stack – extended version-. Central European Journal of Computer Science, 4:45–66, 06 2014.

Aleksandra Mileva, Aleksandar Velinov, Laura Hartmann, Steffen Wendzel, and Wojciech Mazurczyk. Comprehensive analysis of mqtt 5.0 susceptibility to network covert channels. Computers & Security, 104:102207, 2021.

D. Mills. Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI, January 2006. https://tools.ietf.org/html/rfc4330.

D. Mills. Control Messages Protocol for Use with Network Time Protocol Version 4, October 2011. https://tools.ietf.org/id/draft-odonoghue-ntpv4-control-00.html.

D. Mills, J. Martin, J. Burbank, and W. Kasch. Network Time Protocol Version 4: Protocol and Algorithms Specification. Internet Engineering Task Force, 06 2010. https://tools.ietf.org/html/rfc5905.

Steven J. Murdoch and Stephen Lewis. Embedding covert channels into tcp/ip. In Mauro Barni, Jordi Herrera-Joancomartí, Stefan Katzenbeisser, and Fernando Pérez-González, editors, Information Hiding, pages 247–261, Berlin, Heidelberg, 2005. Springer Berlin Heidelberg.

NTP FAQ. How should I provide NTP services for a huge network? September 2019. https://www.ntp.org/ntpfaq/NTP-s-config-adv.htm.

Stephen Röttger. Analyse des NTP-Autokey-Verfahrens (German). TU Braunschweig – Institut für Theoretische Informatik, September 2011.

Tobias Schmidbauer and Steffen Wendzel. Covert Storage Caches using the NTP Protocol. ARES 2020: Proceedings of the 15th International Conference on Availability, Reliability and Security, 2020.

C. E. Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27(3):379–423, 1948.

SIMARGL. Stegware – the latest trend in cybercrime. February 2019. https://simargl.eu/blog/technical/stegware-the-latest-trend-in-cybercrime.

Calnex Solutions. Implementing ieee 1588v2 for use in the mobile backhaul, 2009.

Endace Technology. Ieee 1588 ptp clock synchronization over a wan backbone, 2016. https://www.endace.com/ptp-timing-whitepaper.

Timur Snoke. Best Practices for NTP Services. April 2017. https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html.

Nikolaos Tsapakis. Alternative communication channel over NTP. Virus Bulletin, April 2019. https://www.virusbulletin.com/virusbulletin/2019/04/alternative-communication-channel-over-ntp/.

Steffen Wendzel. Get Me Cited, Scotty! Analysis of Citations in Covert Channel/Steganography Research. In Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, New York, NY, USA, 2018. Association for Computing Machinery.

Steffen Wendzel, Luca Caviglione, Wojciech Mazurczyk, Aleksandra Mileva, Jana Dittmann, Christian Krätzer, Kevin Lamshöft, Claus Vielhauer, Laura Hartmann, Jörg Keller, and Tom Neubert. A Revised Taxonomy of Steganography Embedding Patterns. In The 16th International Conference on Availability, Reliability and Security, ARES 2021, pages 1–12, New York, NY, USA, August 2021. Association for Computing Machinery.

Steffen Wendzel, Wojciech Mazurczyk, Luca Caviglione, and Michael Meier. Hidden and Uncontrolled – On the Emergence of Network Steganographic Threats. In Helmut Reimer, Norbert Pohlmann, and Wolfgang Schneider, editors, ISSE 2014 Securing Electronic Business Processes, pages 123–133, Wiesbaden, 2014. Springer Fachmedien Wiesbaden.

Steffen Wendzel, Sebastian Zander, Bernhard Fechner, and Christian Herdin. Pattern-Based Survey and Categorization of Network Covert Channel Techniques. ACM Computing Surveys, 47:50:1–26, 04 2015.

Andreas Westfeld and Andreas Pfitzmann. Attacks on steganographic systems. In Andreas Pfitzmann, editor, Information Hiding, pages 61–76, Berlin, Heidelberg, 2000. Springer Berlin Heidelberg.

Wireshark. Protocols/ptp – The Wireshark Wiki. https://wiki.wireshark.org/Protocols/ptp, 2021.

Sebastian Zander, Grenville Armitage, and Philip Branch. Covert channels and countermeasures in computer network protocols. IEEE Communications Surveys and Tutorials, 9:44–57, 09 2007.

Elzbieta Zielińska, Wojciech Mazurczyk, and Krzysztof Szczypiorski. Trends in steganography. Commun. ACM, 57(3):86–95, March 2014.

Downloads

Published

2022-03-22

Issue

Section

ARES2021